Welcome to the Netskope One DSPM Knowledge Base


    Integrating with Okta Universal Directory

    You can configure Netskope One DSPM to automatically sync with your Okta Universal Directory. Doing so allows you to control which specific employees are imported, map their directory attributes (both default and custom) to Netskope One DSPM fields, and leverage these employee-specific values to trigger policies.

    This sync can be a one-time activity, or scheduled to refresh Netskope One DSPM data on a regular cadence.

    Examples of alerts possible via this feature include:

    • Ensure no one in the Marketing department is running queries which return PII.
    • Identify specific types of users selecting high volumes of records.
    • Closely monitor the behavior of employees who are on a PIP or have given notice.
    • Automatically notify your security teams when data usage is detected for terminated employees.

    More information on Okta Universal Directory is available here.

    Configuring Initial Sync

    Configuring Okta Universal Directory integration is separate from configuring Okta for SSO, which is described in our separate Enable Single Sign-On With Okta article.

    1. Log into Netskope One DSPM as any user with the “Admin” role.
    2. Navigate to User Identity > Employee Management.
    3. On the top-right of the screen, click Connect to Directory Service.
    4. The Directory Configuration modal is displayed, starting with Choose Directory.
    5. Select Okta as your directory provider.


    Configure the Directory Integration

    Provide the Netskope One DSPM platform with details on where & how to access your Okta Universal Directory. This includes optionally configuring Netskope One DSPM to regularly sync with your Okta Universal Directory, so the former is always up-to-date with fresh employee data, including newly-discovered Okta employees. 

    1. On the Provide Credentials tab, provide the following information:
      1. Name: this is used within Netskope One DSPM only and can be any friendly name of your choosing.
      2. URL: your Okta Universal Directory’s URL endpoint.
      3. Token: the authorization token for this specific integration, which you can generate within the Okta console under Security > API.
    2. If you do not wish to regularly sync your Okta Universal Directory, you can deselect the Sync Enabled toggle. Otherwise, configure the cadence & timing of your choosing.
    3. Click the Next button.
    4. The Mapping tab is displayed.

    Map Okta Attributes to Netskope One DSPM Fields

    On the Mapping tab, you can define mappings between directory attributes and Netskope One DSPM fields. All Okta attributes, both default and custom, are available for mapping. 

    For each discovered Okta attribute, the Netskope One DSPM Directory Field Name auto-populates to match. You can override these matches by selecting different source Okta attributes.

    Best practice when mapping between systems:

    • Map all Expected Database Usernames. If your Okta directory contains a database user name field or Expected DB Usernames field, we recommend mapping it to the Expected Username field.
      • Include all possible Username permutations (comma-separated) in the Okta attribute for Expected DB Usernames, e.g. gwashington, washington, george.
      • This way, Usernames can be leveraged within Netskope One DSPM for the following downstream activities:
        • Linking your directory employees to the Usernames which Netskope One DSPM discovers while scanning your Data Stores.
        • Over-privilege analysis for those linked employees.
        • Triggering the creation of Alerts & Tasks by matching the database and/or employee user name within Policy Conditions.
    • Be sure to map employee status. This way, its value can also be leveraged within Netskope One DSPM to trigger the creation of Alerts & Tasks, such as flagging the continued activity of terminated employees.
    • Remove unnecessary mappings. If the Netskope One DSPM destination field is not required (marked with a red asterisk) or used in your Policy Conditions, we recommend you remove its mapping entirely by clicking the Delete icon.
    • Do not map any Okta attribute more than once.

    Once your mappings are set, click the Next button.
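    The example below illustrates why the Expected DB Usernames and employee status mappings matter downstream: it links discovered data-store usernames to employees via the comma-separated permutations and flags activity by terminated employees. It is an added illustration, not Netskope One DSPM code; the record layout, field names, case-insensitive matching and sample data are all assumptions.

```python
"""Link Okta-synced employees to discovered database usernames and flag
terminated employees that still show activity. Illustrative only: the
record layout and matching rules are assumptions, not the product's own."""

# Constructed sample of employees as they might look after an Okta sync,
# carrying the two attributes the guidance above says to map.
EMPLOYEES = [
    {"email": "gwashington@example.com", "status": "active",
     "expected_db_usernames": "gwashington, washington, george"},
    {"email": "jadams@example.com", "status": "terminated",
     "expected_db_usernames": "JAdams,adams.john"},
    {"email": "tjefferson@example.com", "status": "active",
     "expected_db_usernames": ""},  # nothing mapped: stays un-linked
]

# Constructed sample of accounts a data-store scan might discover, with a
# flag for whether the account ran queries in the last sync window.
DISCOVERED = [
    {"username": "GWASHINGTON", "data_store": "pg-prod", "active_recently": True},
    {"username": "jadams", "data_store": "pg-prod", "active_recently": True},
    {"username": "svc_etl", "data_store": "snowflake", "active_recently": True},
]


def parse_expected(value: str) -> set:
    """Split the comma-separated attribute, trim, lower-case and de-dupe.
    Case folding is this example's choice; the page does not state how the
    product compares usernames, which is why all permutations are listed."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def link_employees(employees, discovered):
    """Return (links, unlinked): links are (email, username, data_store) tuples;
    a username claimed by zero or several employees is left un-linked."""
    index = {}
    for emp in employees:
        for name in parse_expected(emp["expected_db_usernames"]):
            index.setdefault(name, []).append(emp["email"])
    links, unlinked = [], []
    for acct in discovered:
        owners = index.get(acct["username"].lower(), [])
        if len(owners) == 1:
            links.append((owners[0], acct["username"], acct["data_store"]))
        else:
            unlinked.append(acct["username"])
    return links, unlinked


def terminated_with_activity(employees, discovered):
    """Emails of terminated employees whose linked account was recently active."""
    status = {e["email"]: e["status"] for e in employees}
    active = {a["username"] for a in discovered if a["active_recently"]}
    links, _ = link_employees(employees, discovered)
    return sorted({email for email, user, _ in links
                   if status[email] == "terminated" and user in active})
```

    Accounts that end up in the un-linked list (here the service account) correspond to what the Un-Linked Users tab surfaces for manual mapping.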

    Include / Exclude Specific Employees

    After setting up mapping, you will use the Include/Exclude tab to define which employees will be synced to Netskope One DSPM. 

    Within Okta, you can group users based on common or shared traits. In turn, you can configure Netskope One DSPM to import all employees, or just those within specific Okta Groups. For example, you might organize all employees with database access into an Okta Group named “Data Owners”, then configure Netskope One DSPM to import just those privileged employees.

    There are two methods you can use to sync employee groups from your Okta Universal Directory: manual sync (by selecting Sync Groups) or CSV upload. Manual syncing supports up to 50,000 Okta Groups, and CSV upload supports an unlimited number of Okta Groups. We recommend using manual sync for fewer than 1,000 groups, and CSV upload for more than 1,000 groups.

    Sync Groups:

    1. Click Sync Groups. Close the modal and the sync will run in the background. You will be notified when groups are loaded and ready to select.
    2. The left side displays your Okta Group picklist.
    3. Use the selectors and the include and exclude buttons to decide which Okta Groups to include.
    • If you wish to import all employees, select and include “Everyone”.
    • Otherwise, select one or more Okta Groups. In the example above, only the "Netskope One DSPM-users" group members will be imported into Netskope One DSPM.
    4. Once complete, click the Save button.

    CSV Upload:

    1. Click Upload CSV.
    2. Drag and drop or upload your CSV file.
      1. For guidance on exporting groups and populating the CSV file, read How to export all Groups using Okta API.
      2. The file should only contain the specific Okta Groups you would like to be included in Netskope One DSPM's Employee Management feature.
      3. Note that any duplicate Okta Groups will be automatically de-duped during the sync.
    3. Click SAVE to close the modal, and the sync will run and complete in the background.
    4. You'll see the Success banner once your Okta Groups have successfully uploaded.
    5. All uploaded groups will automatically import and sync to the Employee Management page.

    Once complete, the Okta Configuration modal will auto-dismiss, and your included Okta employees will now be listed in Netskope One DSPM’s Employee Management screen, specifically within the All Employees tab. This will include any new columns from your mappings. Employees synced from Okta are kept separate from any database users discovered by the Netskope One DSPM platform.

    Going forward, the employees listed in the Netskope One DSPM Employee Management screen will reflect the matching Okta Group configurations and be refreshed after every scheduled sync. More information on Okta Groups is available here.

    The Un-Linked Users tab is used when mapping imported Employees to the Usernames which Netskope One DSPM has discovered. For more information on this feature, please visit here.

    Sync Behavior & Maintenance

    Details on your sync schedule are displayed at the top of the Employee Management screen. To make changes to any portion of your configuration, click the Edit icon to once again display the Okta Configuration modal.

    Changes made within the source directory will be available within Netskope One DSPM each time a sync is performed. If you delete an employee within your directory, their corresponding record will still remain in Netskope One DSPM, but it will be styled on-screen to provide an indication of this scenario.

    If you no longer wish to use the directory integration, you can remove it by clicking the Delete icon. Note that doing so will remove all employees previously brought over from Okta, which may affect other parts of the platform, such as the triggering of policies.

    Limitations

    At this time, current limitations include:

    • You can connect to a single Okta Universal Directory.
    • You can map a single database Username attribute.
